Identity Management & Digital Signatures in the BioPharmaceutical Industry

John Hendrix; Program Director

CTST 2009

© 2009 SAFE-BioPharma Association



Overview

Conducting Business in the Electronic World

Regulatory & Legal Issues

Introduction to SAFE-BioPharma Association

How SAFE-BioPharma Members Overcome these Hurdles

Summary

Conducting Business in the Electronic World

Business Trends in the Biopharmaceutical Community

Revolution in life sciences and medical technology:
• Changing the way we live
• Expensive, complex, geography, many players

Need to improve safety, quality, development times:
• Paper costs must be reduced: 40% of R&D costs; 33% of all healthcare costs
• Must look for ways to speed processes

Need to improve efficiencies, reduce costs:
• Shift to eClinical
• eRegulatory processes
• eHealthcare, e.g., UK, France, US

There is a pressing need to better allocate healthcare resources to deliver more new medicines and services to patients, faster and safely.

Business Drivers in the Electronic World

Business Process Improvement
– Standards based
– Interoperate regardless of technology or vendor
– Identity Management
  • Trust people’s identities, how do I know who is on the other end of a transaction
  • Establish risk based methods to confirm and authenticate identity
– Digitally sign documents
  • Eliminate wet signatures
– Eliminate multiple user IDs & passwords

Regulatory Requirements
– How is the eCTD implemented?

Legal Drivers
– Patent Protection

Trust/Identity Management Drivers
– How do I know…

Interoperability with Business Partners and Regulators

Regulatory and Legal Issues

Regulatory Requirements

Regulations all have an impact on your identity management strategy

Conflicting regulations increase risks and costs especially depending on geography

Policy alignment and consistency is essential

[Diagram labels: Sarbanes-Oxley; HIPAA; FDA 21 CFR Part 11; e-SIGN; PIPEDA; IDABC; EU Bridge; Japan; Privacy; Basel II; EUDRALEX; Import/Export; JPKI; EU Directives; US Bridge]

Control Frameworks: EAL, ETSI, ISO, NIST

E-sig & D-sig Definitions

What is an Electronic Signature?
• Data in electronic form which is attached to or logically associated with other electronic data and which serve as a method of authentication.
• An electronic sound, symbol, or process, attached to or logically associated with a record and executed or adopted by a person with the intent to sign the record.

What is a Digital Signature?
• A specific type of Electronic Signature.
• The Signature is based upon cryptographic methods of originator authentication, computed by using a set of rules and a set of parameters such that the identity of the signer and the integrity of the data can be verified.

Only specific digital signatures, generated under the requirements of the EU Directive, will qualify as an “advanced electronic signature” in the EU

Only “advanced electronic signatures” are the legal equivalent of handwritten signatures

A Comparison of Electronic and Digital Signature Features for the US and EU

Introduction to SAFE-BioPharma Association

Who is SAFE-BioPharma?

SAFE-BioPharma is a strategic initiative of the global biopharmaceutical industry to facilitate transformation to fully electronic

SAFE-BioPharma is a member-governed, not-for-profit enterprise
– SAFE-BioPharma standard
– Legal and contractual framework
– Bridge Trust infrastructure
– SAFE-BioPharma identity credentials
– Digital Signatures
– Authentication
  • Multi-factor
– SAFE-BioPharma-enabled products

SAFE-BioPharma Association
– Amgen - AstraZeneca - Premier
– BMS - GSK - Abbott
– Genzyme - J&J - Lilly
– Merck - Organon - MedNet World
– Pfizer - P&G - Novartis
– Roche - Sanofi-Aventis

The SAFE-BioPharma Standard

Business
– Operating Policies
– Contracts
– Processes
  • Agree to accept digitally signed transactions
  • Agree to limited liability caps
  • Agree to dispute resolution
  • Agree to identity assurance
  • Agree to self-audit & meet SAFE-BioPharma requirements

Technical & Identity
– Certificate Policy (PKI)
– Specifications
– Guidelines
  • Identity verification
  • Identity life cycle management
  • Comply with referenced standards
  • Follow security, audit & control requirements
  • Certification

The SAFE-BioPharma Standard is the Only Complete Set of Managed Business and Technical Policies, Procedures and Agreements for Digital Signing and Authentication in the Global BioPharma and Healthcare Communities to Foster Interoperability, Regulatory, and Legal Compliance

How SAFE-BioPharma Members Overcome These Hurdles

The SAFE-BioPharma Digital Certificate


SAFE-BioPharma Compliant Digital Signatures…

Help Members Overcome the Simple Electronic Signature Shortfalls such as…

[Diagram: SAFE-BioPharma Digital Signatures Overcome...]

....While Enabling 1) Trust and Communication Among Members and All Stakeholders, 2) Platform/Program and Process Interoperability, 3) Regulatory and Legal Compliance, and 4) Risk Mitigation

Organizational Identity Management Issues

Scalability
– Different risk factors may require different levels of certificate
  • Differing methods of identity verification provide the ability to support multiple identity assurance levels

Flexibility
– Two assurance levels, based on the identity verification process, and four certificate types
  • Basic Assurance Software, Medium Assurance Software, Medium Assurance Hardware, Roaming Digital ID (Medium Assurance Software)
– As the level rises, so does the ability to strongly assert the identity

Collaborative development and partnering opportunities
– Access to partner systems
– User name and password management

Requirements for electronic submissions and electronic records
– Agencies establish e-submission guidance and regulations

Current hybrid systems do not support
– Most built around scanned signatures to PDF but still require paper retention

Options for Flexible Use

Two levels of trust:
– Basic Assurance for authentication
– Medium Assurance for trusted identity uniquely linked to authentication, digital signature and EU-qualified

Three digital signing technologies:
– Software
– Hardware (zero footprint now undergoing FIPS certification)
– Roaming

Three identity-proofing options:
– Antecedent – enterprise and on-line
– Trusted agent
– Notary – including office/home notary services

Member Public Key Infrastructure Options

Internal infrastructure
– Cross-certified with SAFE Bridge
– BMS, J&J – soon others

Outsourced infrastructure
– Cross-certified with SAFE Bridge:
  • Chosen Security
  • Citibank
  • IdenTrust
  • Trans Sped
  • Verizon Business/Cybertrust

SAFE tiered services infrastructure (member-funded)
– External partners
– Regulatory uses
– Healthcare providers
– Members

The Global BioPharma eBusiness Challenge

[Diagram labels: CRO(s); Research Sites/Investigators; Trade/supply partner(s); Ethics Committees; Biopharma 1; Biopharma 2; Biopharma 3; EMEA; EU MS1; EU MS2; EU MS…n; MHLW; FDA]

If tackled independently: recipe for management nightmare

Simplifying Trust

[Diagram labels: EU Bridge; SAFE-BioPharma Bridge; US Federal Bridge; J&J; BMS; Sanofi-Aventis; Chosen; CITIGroup; Cybertrust; Identrust; Transped; HHS; FDA; EMEA; UK; France; Germany; Netherlands; MHRA; AFSSAPS; BfARM; MEB]

SAFE-BioPharma Pilots & Implementations

Organization: Pilots and Implementations

Abbott: ELN

Amgen: ELN, Clinical Research Info Exchange (CRIX)

AstraZeneca: ELN, eSubmissions (US); Investigator Portal; Global infrastructure

BMS: ELNs; Promotional material review (EU); eSubmissions; alliances

CDC-MedNet-SAFE-BioPharma: Cross-jurisdictional public health-disease surveillance

EMEA: EudraVigilance; eCTDs, regulatory submissions

GSK: eSubmissions, R&D docs; Global infrastructure

J&J: 90,000+ employees; eSubs; External partners; Records

Eli Lilly: eSubmissions

Merck: ELN

National Notary Association: Digital Notary Signature

Pfizer: ELNs; eSubmissions; contracts/SOWs; investigator portal

P&G: ELNs; contracts; HR

Premier: Supplier and member contracts

Sanofi-Aventis: ELNs, eSubmissions; Finance and Purchasing

Summary

SAFE-BioPharma meets Requirements for ubiquitous IT adoption

An Identity Management Trust Infrastructure
– Mitigate risk
– Secure infrastructure that ensures privacy & confidentiality

Business process improvement for both industry and regulators
– Reduce cost
– Increase productivity
– Reduce cycle times

Mandated globally accepted standards

Develop Global Regulatory compliance strategy

Vendor/technology neutral – interoperable

Legally enforceable

Collaborate with Healthcare industry
